
Rowhammer Variant ‘RAMpage’ Targets Android Devices All Over Again

The attack allows malicious applications to break out of their sandbox and access the entire operating system, giving an adversary complete control of the targeted device.

Researchers have found a new variation of the Rowhammer attack technique they have dubbed RAMpage. It allows an unprivileged app to gain root (administrative) control over a targeted Android smartphone or tablet, and the researchers say it affects Android devices shipped since 2012.

RAMpage follows a string of Rowhammer variants that have come to light since 2014, when researchers first documented the underlying DRAM disturbance error, and 2015, when Google's Project Zero showed it could be exploited on laptops and PCs.

“Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector,” researchers wrote. “[Today] we present rampage, a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses.”

Direct memory access (DMA) is defined by Techopedia as a “method that allows an input/output (I/O) device to send or receive data directly to or from the main memory, bypassing the CPU to speed up memory operations. The process is managed by a chip known as a DMA controller (DMAC).” The relevance for Rowhammer is that DMA buffers are mapped uncached and are physically contiguous: every access to them reaches the DRAM chips instead of being absorbed by the CPU caches, and the attacker can tell which rows sit next to each other.

Rowhammer itself is a method of repeatedly accessing (“hammering”) the same rows of cells in a DRAM chip so that charge leaks from physically adjacent rows and flips some of their cells from one state to the other. The cause is electrical interference between neighboring rows in densely packed memory, not a software bug. Google’s Project Zero showed in 2015 how a malicious program could use such bit flips, for example in a page-table entry, to gain kernel-level privileges on laptops and PCs.

In 2016, researchers showed with the Drammer attack that the PC-based Rowhammer technique also works on Android devices and can give an attacker root access on millions of handsets, including Nexus, Samsung, LG and Motorola models.

Drammer differs from the PC attacks in how it steers the bit flip. It relies on the Flip Feng Shui exploitation technique: the attacker first scans (“templates”) memory to find a location that reliably flips, then massages physical memory, by requesting allocations of carefully chosen sizes from the kernel’s allocator, until a sensitive data structure such as a page table lands on that location. Hammering the neighboring rows then flips a bit inside that structure. A single flip, a 0 becoming a 1 or a 1 becoming a 0, can be enough to redirect a page-table entry and hand the attacker read and write access to arbitrary memory.

The latest variant, RAMpage, works in a similar way. It targets ION, the memory management subsystem Google introduced with Android 4.0 in 2011 to hand out physically contiguous, uncached DMA buffers to drivers and apps. The mitigation Google shipped after Drammer restricted one ION heap; RAMpage shows that the remaining heaps still give an unprivileged app the kind of memory hammering needs. The app repeatedly reads the rows on either side of a victim row, with every read reaching DRAM because the buffer is uncached, until a bit in the victim row flips. If that row holds a page table, the door to device compromise is open.

The prerequisite for an attack is that the victim installs an unprivileged app, needing no permissions at all, that carries out the hammering. “We consider an attacker with full control over a zero-permissions holding, unprivileged Android app that is running on the victim’s device,” researchers wrote.

The good news is that the researchers have also released a tool called GuardION, a software-based mitigation against RAMpage attacks. It isolates DMA buffers from the rest of memory with guard rows, so that a flip induced by hammering an ION buffer cannot land in kernel data. “It prevents an attacker from modifying critical data structures by carefully enforcing a novel isolation policy,” researchers wrote. “Although GuardION is not deployed in operating systems yet, there are ongoing efforts to realize this. The source code for GuardION is available online in the form of an Android kernel patch.” The patch is not yet widely available and has only been tested on a Google Pixel running Android 7.1.1 (Nougat).

Authors

Threatpost
